Last reviewed: May 2026. This guide explains the EU AI Act in plain English. It is general information, not legal advice — see the note at the end.
What the EU AI Act is, in one minute
The EU AI Act is the European Union’s law for artificial intelligence. It is the first broad, horizontal AI law of its kind anywhere in the world, and it works a little like a product-safety regime: instead of banning or allowing AI outright, it sorts AI systems by how much risk they pose and attaches heavier duties to the riskier ones.
The official reference is Regulation 2024/1689. It was published in the EU’s Official Journal in July 2024 and entered into force on 1 August 2024. That date started the clock, but the actual obligations switch on in stages over the following years rather than all at once.
If you build, sell, deploy, or even buy AI systems that reach people in the EU, this law can apply to you — and, importantly, it applies regardless of where your company is based. That extraterritorial reach is the single most misunderstood part of the Act, and it is where most non-EU companies get caught off guard.
Who the Act actually applies to
The Act uses specific words for the roles it regulates. The two you will hear most often are provider (broadly, whoever develops an AI system or puts it on the market under their name) and deployer (whoever uses an AI system in a professional capacity). Your duties differ depending on which role you are in — and a single company can be both.
The reach extends beyond the EU’s borders. A company headquartered in the United States, the United Kingdom, or anywhere else falls within scope if its AI system is used by, or produces outputs affecting, people in the EU. This mirrors how the GDPR reached far outside Europe after 2018, and businesses that remember that period tend to take this seriously the second time around.
Smaller organisations are not automatically exempt. Startups and SMEs can fall within scope, although the Act softens some penalties for them. The practical takeaway is the same for everyone: you cannot assume the law does not touch you simply because you are small, or because you are outside Europe.
The risk tiers — the heart of the Act
Everything in the Act flows from one idea: the obligations scale with risk. Systems are sorted into tiers, and the tier determines what you must do.
Unacceptable risk (prohibited)
A small set of uses are simply banned because they are considered a clear threat to people’s rights and safety — examples include certain kinds of social scoring and manipulative systems. These prohibitions have been among the first parts of the Act to take effect, and breaching them carries the steepest penalties.
High risk
This is the tier that matters most for the majority of businesses, because it carries real, operational obligations. High-risk uses include AI in areas such as hiring and recruitment, credit scoring, and biometrics — situations where a wrong or biased decision can seriously affect someone’s life. Providers of high-risk systems face requirements around risk management, data governance, technical documentation, human oversight, and conformity assessment before the system goes to market. Deployers have their own, lighter set of duties.
Limited risk
Some systems carry transparency duties rather than the full high-risk burden. The classic example is a chatbot or AI-generated content: people generally have to be told they are interacting with, or looking at the output of, an AI.
Minimal risk
The large majority of everyday AI — spam filters, recommendation features, and the like — falls here, with few or no specific obligations. Most ordinary business software sits in this tier.
There is also a separate set of rules for general-purpose AI models (the large foundation models behind tools like GPT-4, Claude, and Gemini), with obligations on the providers of those models that began phasing in during 2025.
The timeline — and why it is moving right now
The Act does not land all at once. It phases in over roughly three years from entry into force, and the dates are the part everyone is watching.
- 1 August 2024 — the Act entered into force. This started the compliance clock; no substantive duties applied yet.
- 2 February 2025 — the bans on unacceptable-risk practices became enforceable.
- 2 August 2025 — obligations for providers of general-purpose AI models took effect.
- 2 August 2026 — the date most often cited for high-risk system obligations to apply. This is the deadline the majority of enterprises are planning around.
- 2 August 2027 — full application, including AI embedded in regulated products.
An important caveat as of mid-2026: these high-risk dates are under active negotiation. In November 2025 the European Commission proposed deferring some high-risk obligations, and in May 2026 EU lawmakers reached a political agreement to revise parts of the timeline — but that revision was still subject to formal adoption at the time of writing. Until any change is formally enacted into law, the original dates remain in force as written. The sensible posture is the one most legal advisers are recommending: keep preparing against the existing 2 August 2026 deadline while monitoring whether the revisions are formally adopted. Planning for the earlier date and being granted more time is a far safer mistake than the reverse.
The penalties
The Act’s fines are designed to be large enough to deter even the biggest companies — and at the top end they exceed the GDPR’s. The maximum penalty is set at up to €35 million, or 7% of a company’s total worldwide annual turnover, whichever is higher, for the most serious breaches such as using prohibited systems. Lower tiers of fines apply to other kinds of violations. For SMEs and startups, fines are generally capped at the lower of the fixed sum or the percentage — but even the lowest tier is large enough to threaten the survival of an early-stage company.
How the AI Act and GDPR fit together
A common misconception is that the AI Act replaces the GDPR. It does not. The two laws run in parallel and apply at the same time to any AI system that processes personal data. The GDPR governs how personal data is handled; the AI Act governs how the AI system itself is built, documented, and overseen. In practice this creates compound obligations, and the teams that cope best treat the two as one coordinated compliance effort rather than two separate projects. If your AI processes personal data — and most enterprise AI does — you are very likely subject to both.
What a sensible business should do now
You do not need to solve everything at once. A practical sequence looks like this:
- Inventory your AI. List every AI system you build, use, or buy. You cannot assess what you have not mapped.
- Classify each system by risk tier. Most will be minimal; the work is in finding the ones that are high-risk or prohibited.
- Focus your effort on the high-risk systems. These are where the real obligations — risk management, documentation, human oversight, conformity assessment — live.
- Coordinate with your GDPR work. Handle data protection and AI governance together, not in separate silos.
- Build an audit trail. Being able to show what you did, and when, is much of what compliance actually means in practice.
- Watch the timeline. Keep an eye on whether the proposed deadline changes are formally adopted, and adjust your plan only when they are.
Many organisations use dedicated governance, risk, and compliance software to manage this — to keep the AI inventory, run risk assessments, and produce the documentation and audit logs the Act expects. Choosing the right tool depends on your size and which systems you run; that is the subject of a separate comparison guide.
The bottom line
The EU AI Act is a binding, risk-based law with real teeth and a reach that extends well beyond Europe. The dates are in flux, but the direction is not: AI governance is becoming a documented, auditable obligation rather than a nice-to-have. The organisations that start early — by mapping their systems and integrating AI and data-protection compliance — will find the deadline far less painful than those who wait for the timeline to settle before they begin.
Disclaimer: This guide provides general information about the EU AI Act and is not legal advice. Regulation in this area is complex and changing, and the way the law applies depends on your specific circumstances. Consult a qualified legal professional before making compliance decisions. Some links elsewhere on this site are affiliate links; if you buy through them we may earn a commission at no extra cost to you.